What Vanity License Plates can Teach Us About App Security and SQL Injection


In the United States of America, a vehicle owner can obtain a personalized license plate called "vanity plate". A vanity plate is also sometimes  referred to as a “prestige plate” or “cherished plate” and automobile owners pay additional money to the Department of Motor Vehicles (DMV) to keep them. These plates which might have quotes, abbreviations, etc., represent the vehicle owner’s name, interest or passion. Examples of vanity plates include “AWH-SUM”, “GONA B L8, “NOT POOR”, “DUUUDE”.

In the next couple of paragraphs, I have tried to illustrate a few examples of how the owners of these vanity plates ended up in tricky situations due to a logical flaw in the license plate registration process. This flaw is very much akin to and analogous to the well know application security SQL injection vulnerabilities. Per OWASP, SQL injection vulnerabilities allow SQL commands injected into the data-plane to effect the execution of predefined SQL commands.


Droogie’s SQL injection exploits

Several articles on the story of a hacker named Joseph "Droogie" Tartaro were published on the Internet a few days ago. Droogie thought he had found a way to stop paying his traffic violation fines, but on the contrary ended up in a situation where he was getting ticketed for infractions that he had never committed. He shared his interesting experience at the DEFCON 27 convention with this publication: Go NULL yourself. In this story, he talked of a CIA funded company Palantir, a private big-data operator used by the states and law enforcement agencies to identify and access personal data, especially related to license plates (reference here and here). 

By exploiting a leaked document on the Internet (search 6190005/PALANTIR-Guide.pdf to obtain URL), Droogie had the idea to exploit a potential weakness in the police search system by using the simple SQL keyword "NULL". He registered for and secured a vanity license plate that simply read “NULL”,and hoped to “confuse” the automated license plate reader systems that issue fines for traffic violations. Although, the effect of his indulgent experiment was the exact opposite of what he intended, he has, however, demonstrated a deep vulnerability in the design of the system, where it could not resolve a unique identifier. In case you are wondering what happened, Droogie ended up getting fined for all the violations that the system could not identify the license plates for. All those violations were being tagged by the system to license plate not known or “NULL”.  

Missing choice leads to a SQL injection type case

A similar story unraveled way back in 1979, which was more of a mistake and less of an intentional action. In this case, request for a vanity license plate was misunderstood. The requestor named Robert Barbour had the option to make three choices on the vanity plate request form for what should appear on his plate.  However, he was interested in only two specific ones and would rather not have a vanity plate if he did not get one of his two choices accepted by the DMV. Hence, he went ahead and wrote down his two choices as "SAILING" and “BOATING”. He entered his third choice as "NO PLATE", just because he did not have a third choice and did not want to make one. “BOATING” and “SAILING” being already reserved by someone else, the DMV validated Robert’s last entry as a choice and gave him a “NO PLATE” license plate. Barbour kept the plate and a few weeks after, started receiving dozens of overdue parking fines just because some law enforcement officers were using "NO PLATE" to write penalties and fines for the cars that bore no license plates.

A few other stories also exist around "NO TAG" or "MISSING" words. All of them demonstrate the exploitation of a similar flaw in SQL query system, which is very near to code or SQL injection. SAST tools like CAST  can automatically reveal injection type application security breaches through deep parsing. 

Here are some “injection” specific rules analyzed by CAST Security.

CAST Security rules are based on best-in-class industry standards like OWASP, NIST, CWE, STIG, PCI, CISQ & OMG.

Interested in checking out how you could avoid SQL injections using CAST? Talk to our expert now.

Guillaume Diamant
Guillaume Diamant Consultant en infrastructure bases de données, Architecte IT
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item